OAuth 2 An Introduction – 101 Session

From IIW


Tuesday 1B


Convener: Justin Richer

Notes-taker(s): Allyn Chen


Tags for the session - technology discussed/ideas considered:


#OAuth2.0 #AuthorizationProtocol


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Introduction to OAuth 2.0


  • What is OAuth 2.0?

A delegation protocol that lets people allow applications to access things on their behalf.

The client in OAuth is the software that tries to access the protected resource.


  • The old way
    • Copy the resource owner's credentials and replay them to the protected resource.

Problem: you have to hand over the key itself, and there is no management of the access.

    • Universal key
    • Service-specific credentials


  • Authorization server

The authorization server gives us a mechanism to bridge the gap between clients and the protected resource.

    • Generates tokens for the clients
    • Authenticates the resource owner
    • Authenticates the clients
    • Manages authorizations


  • OAuth token is opaque


  • OAuth 2.0
    • Modularized concepts
    • Separate previously conflated components


OAuth 2.0 defines common concepts and components and different ways to mix them together.

Therefore OAuth is not just a protocol, it is an ecosystem today. 


OAuth is not:

  • Defined outside of HTTP.
  • User-to-user delegation (OAuth targets user-to-software delegation).
  • Authorization processing.
  • A token format.
  • An encryption method.
  • An authentication protocol.


  • Step by step

1. The client redirects the resource owner to the OAuth authorization server.

2. The resource owner authenticates with the authorization server.

3. The resource owner authorizes the client.

4. The authorization server redirects the resource owner back to the client with an authorization code.

5. The client sends the authorization code to the authorization server's token endpoint (the client authenticates using its own credentials).

6. The authorization server issues an OAuth access token to the client.

7. The client accesses the protected resource using the access token.


Refresh token:

  • Issued alongside the access token.
  • Used for getting a new access token.
  • Not good for calling protected resources directly.


Scope:

  • Type of action.
  • Type of resource.
  • Limits on access time.
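The seven steps above are the authorization code flow; the following toy model, added here and not part of the session notes, walks through them end to end, together with the refresh token and scope points. The client id, secret, URLs, users and token values are constructed for the demo, and the `state` parameter comes from RFC 6749 rather than from the notes.

```python
# Added example, not from the IIW notes: an in-memory toy of the authorization code flow
# (steps 1-7) plus refresh tokens and scope. All ids, secrets, URLs and users are constructed;
# the `state` parameter is assumed from RFC 6749 (the notes do not mention it).
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENTS = {"photo-app": {"secret": "s3cret", "redirect_uri": "https://photo.example/cb"}}
CODES, TOKENS, REFRESH = {}, {}, {}  # authorization server state

def build_authorize_url(client_id, scope, state):
    """Step 1: the client redirects the resource owner to the authorization endpoint."""
    q = {"response_type": "code", "client_id": client_id, "scope": scope,
         "state": state, "redirect_uri": CLIENTS[client_id]["redirect_uri"]}
    return "https://as.example/authorize?" + urlencode(q)

def authorize(url, user, approved):
    """Steps 2-4: the AS authenticates the user and redirects to the registered redirect_uri with a one-time code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = CLIENTS.get(q["client_id"])
    if client is None or q["redirect_uri"] != client["redirect_uri"] or not approved:
        return None  # in a real AS this is an error redirect or error page
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": q["client_id"], "scope": q["scope"], "user": user}
    return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def client_callback(redirect_url, expected_state):
    """Client side of step 4: accept the code only if state matches this browser session."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    return q.get("code") if q.get("state") == expected_state else None

def token(client_id, client_secret, grant_type, **params):
    """Steps 5-6: the client authenticates, then trades a single-use code or refresh token for tokens."""
    if CLIENTS.get(client_id, {}).get("secret") != client_secret:
        return {"error": "invalid_client"}
    grants, key = {"authorization_code": (CODES, "code"),
                   "refresh_token": (REFRESH, "refresh_token")}.get(grant_type, ({}, None))
    grant = grants.pop(params.get(key), None)  # pop: each code or refresh token works exactly once
    if grant is None or grant["client_id"] != client_id:
        return {"error": "invalid_grant"}
    at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    TOKENS[at], REFRESH[rt] = grant, grant  # opaque strings: their meaning lives only at the AS
    return {"access_token": at, "refresh_token": rt, "token_type": "Bearer", "scope": grant["scope"]}

def protected_resource(access_token, needed_scope):
    """Step 7: look the token up and enforce scope; a refresh token is not in TOKENS, so it is rejected."""
    grant = TOKENS.get(access_token)
    if grant is None or needed_scope not in grant["scope"].split():
        return 401, None
    return 200, f"photos of {grant['user']}"
```

The resource server shares the token store with the authorization server here only to keep the demo in one file; in a deployment it would introspect or validate the token instead.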



The OAuth protocol is flexible, which has led to a lot of different flows:

1. Implicit flow.

2. Client credentials flow.

3. Resource owner password flow.

4. Device code flow.